Understanding Safety / SMS Basic

Risk Management

Risk management is the main activity of an SMS. It is the second pillar of the ICAO SMS framework and it encompasses the assessment and mitigation of risk. Risk is defined as the exposure to a hazard, i.e. the probability of a hazard being released, but also the severity this hazard could cause. Risk is therefore calculated as the product of probability X severity.

The risk assessment process is the documented process of identifying and calculating the risk; and most importantly mitigating the effects of risk in the operations. Safety Risk Assessment can be described in a 7-step process.

  1. Describe the scenario/ system
  2. Identify the hazards
  3. Estimate of potential outcomes and consequences (Severity)
  4. Estimate probability and assign the risk product (Severity X Probability)
  5. Evaluate Risk from Risk Index
  6. Mitigate actions and controls
  7. Re-evaluate and document
Risk assessment

1. System Description

The definition stage of safety risk assessment. The system or the procedure or the new operation, has to be described in order to have a clear picture of the its purpose, its usage, the functions carried, the boundaries through which it can move-operate and the interface with other systems/ procedures.

2. Hazard Identification

Identify the hazards relates to the system and create the hazard log

3. Potential Outcomes - Severity

Asses the possible outcomes and the consequences. Most times the worst outcome would be a failure of the system which could lead to accident and multiple fatalities. Remember that risk assessment is subjective and the consequences can be debated in every case. However, for the need of the safety risk, we take the worst outcome. There are two ways to define the outcome. Either as the defining result, e.g. accident/ major incident/ minor incident/ event/ no immediate effect, or by giving values based on the consequence, e.g. Catastrophe/ Hazardous/ Major/ Minor/ Negligible. Severity can be broken down to different aspects, like consequences to human lives, to equipment, to premises, to the environment or the financial implications. We always categorise the severity based on the category with the worst outcome. The following example is given by ICAO

Level Description Safety of aircraft Physical Injury Damage to Assets Revenue Loss Damage to environment Damage to corporate reputation
1 Insignificant No significance to aircraft related operational safety No injury No damage No Loss No effect No implication
2 Minor Degraded procedures or performance Minor Injuries Minor damage less than $____ Minor loss less than $_____ Minor effect Limited - Localised
3 Moderate Partial loss, significant system abnormalities- degradation Serious injury Substantial Damage less than $_____ Substantial Loss less than $_____ Contained effect Regional Implication
4 Major Complete failure of major aircraft systems, emergency application of procedures Single Fatality Major damage Less than $_____ Major loss less than $____ Major effect National Implication
5 Catastrophe Aircraft Loss / Accident Multiple fatalities Catastrophic damage more than $____ Massive loss more than $____ Massive effect International Implication

4. Assess the probability

The probability part of the risk can be tricky to identify. One can choose the standard industry values, or if the organisation has enough data, it can choose its own metrics. We can have 5 values for probability, Extremely Improbable/ Improbable/ Remote/ Occasional / Frequent. These values can be defined either a qualitative term, or as a quantitative term. One can give a statistical – mathematical value (e.g. 1x10-1000) or choose a more practical way like events per day/year.

The following example is given by ICAO

Level Descriptor Likelihood description
A / 5 Certain/frequent Is expected to occur in most circumstances
B / 4 Likely/occasional Will probably occur at some time
C / 3 Possible/remote Might occur at some time
D / 2 Unlikely/improbable Could occur at some time
E / 1 Exceptional May occur only in exceptional circumstances
Level Descriptor Likelihood description
5 Certain/frequent (E) Happened in this location more than 3 times
4 Likely/occasional (D) Happened in the company more than 3 times
3 Possible/remote (C) Happened in this company
2 Unlikely/improbable (B) Known in aviation industry
1 Exceptional (A) Unknown but possible in the aviation industry

5. Risk Evaluation

Risk is the product of Severity X Probability. We can create a matrix with two values along the axis and come up with the Risk Index. Risk index has three categories: Unacceptable (Red), Review (Yellow), Acceptable (Green). Risk index matrix can be as big as one wishes. This mean that it can be define more values for severity or probability for more accurate risk assessment, meaning also it can have more categories (more colours). However, this would lead to unnecessary big data values. Increasing the category levels can be helpful if the organisation wishes to define extra categories, e.g. review within a specified period, or acceptable but review within the next quarter etc.

Probability 1. Insignificant 2. Minor 3. Moderate 4. Major 5. Catastrophic
A/5. Certain/frequent 1A/ 5 2A / 10 3A / 15 4A / 20 5A / 25
B/4. Likely/occasional 1B/ 4 2B / 8 3D / 12 4B / 16 5B / 20
C/3. Possible/remote 1C/ 3 2C / 6 3C / 9 4C / 12 5C / 15
D/2. Unlikely/improbable 1D / 2 2D / 4 3B / 6 4D / 8 5D / 10
E/1. Exceptional 1E / 1 2E / 2 3E / 3 4E / 4 5E / 5

In the below matrix we see an example of a 5-colour coding. It is up to the decision of the company and the approval of the Authority to classify the light red as unacceptable or not, depending on the severity of the system being assessed.

Probability 1. Insignificant 2. Minor 3. Moderate 4. Major 5. Catastrophic
A/5. Certain/frequent 1A/ 5 2A / 10 3A / 15 4A / 20 5A / 25
B/4. Likely/occasional 1B/ 4 2B / 8 3D / 12 4B / 16 5B / 20
C/3. Possible/remote 1C/ 3 2C / 6 3C / 9 4C / 12 5C / 15
D/2. Unlikely/improbable 1D / 2 2D / 4 3B / 6 4D / 8 5D / 10
E/1. Exceptional 1E / 1 2E / 2 3E / 3 4E / 4 5E / 5

6. Control and mitigations

Mitigation strategies must be clear, implementable and documented. Some mitigation strategies are: revising the system, modifying some parts of it, increasing the staffing requirements, training and awareness, contingency features; whilst some controls are: eliminate procedure all together, reduce the level of exposure (reduce the frequency), provide safety devices, provide warnings, provide safety procedures (checklists etc).

ALARP: we always aim to reduce as much as possible using the available tools and resources. As long as the risk index is not in the unacceptable area we can move further. It is a good practise though to try to reduce the risk as much as possible (within the financial and operational boundaries). Contrary to the Acceptable Level of Safety which is defined by the Regulator, ALAPR is a corporate definition as it comes down to the financial distress. There is always a level of risk remaining, which is residual risk and it can be defined as the risk remaining after controls and mitigation strategies have been applied.

7. As a final step we need to document the whole process, archive it and notify-communicate our decisions. The notification must include the timeframe for the controls and mitigation strategies, the prioritisation and the process owner. The documentation process can involve arguments and evidences towards the decision taken.